How Georgia doxed a Russian hacker (and why it matters)

Caucasian conflagration has some wider lessons for online security.

Someone did run the virus, and it did open up a remote connection. The Georgian malware, like the hacker's own malware, could also watch the user's screen and snap pictures from a connected webcam. Soon enough, Georgian authorities say they "captured [the hacker in] the process of creating new malicious modules" for his malware system. Convinced they had their man, Georgian authorities then snapped pictures of the hacker using his own webcam and included them in their report on the incident. In addition, they gained access to the control panel software used to administer the malware and took pictures of that, too.

The Georgians also claim that some of the machines used to control the malware were registered through an "obscure" domain name registrar that was only discoverable by using an Indian WHOIS service. When they did access the contact information for the domain in question, it pointed to the Russian Ministry of Internal Affairs, Department of Logistics—a Moscow location right next to Russia's Federal Security Service (FSB). Taken together, the Georgians believe that the hack was a product of "Russian Official State organizations."

Much of this is remarkably hard to verify—even if the entire story is true, the published information certainly doesn't prove that the address on the WHOIS listing is accurate, for instance. But regardless of what really happened, the decision to publish so much information on a hack and on a hacker—before catching him—is unusual. Georgia had its reasons for doing so once it was clear that the hacker himself would likely never be caught.

The malware control panel, filled with search terms.

Hard Lessons

Big Brother, on your lap. Many casual home computer buyers give no thought to the fact that they are bringing a powerful surveillance tool into their homes, one that can eavesdrop on conversations, watch them walk about the room (and worse), and follow every move they make online. For most, this is still the stuff of science fiction, but the Georgian hack is one more reminder that these tools aren't esoteric at all; indeed, they are widely available online and entire forums have sprung up to trade images of "slaves" (usually women) whose computers have been infected and who are being spied upon, often with voyeuristic or sexual intent.

These "remote access tools" (RATs) are standard fare now not just among hackers but among all sorts of otherwise-reputable organizations. The Lower Merion School District in Pennsylvania famously had such software on its school-issued laptops to deter theft—and used it to watch students. (It paid more than $600,000 to settle the resulting lawsuits.) Computer rental companies have now been widely accused of installing such software to guard against theft, but they too are said to use it casually to spy on users. The "sextortionist" Luis Mijangos in California used such tools to spy on dozens of women. (One was so terrified after Mijangos was able to hear her conversations that she wouldn't leave her dorm room for a week.) In a case I cover in more detail in my forthcoming book, The Internet Police, a substitute school teacher here in the US was so badly traumatized when cops showed up at her door with printouts of her instant messages and video chats that she had to seek counseling.

Such tools, once esoteric, have been aided by the rise of laptops with their built-in microphones and webcams and are now common among hackers. As the Georgian case shows, governments also have no problem deploying them when needed. For governments and hackers alike, the ubiquity of computers worldwide now means that the easiest way to eavesdrop is no longer to deploy bugs or secret agents crouching in the bushes; widely available code can do the same job far better, anywhere in the world, almost for free.

Doxing the hackers. Georgia's handling of this situation is unusual. Typically, police agencies investigating online crime do one of two things after identifying a target: 1) ask the country he's in to make an arrest or 2) wait for the hacker to journey somewhere friendly, then snatch him. Approach 1 is right out, since Russia's constitution forbids the extradition of its citizens, and relations between the two countries are frigid at the best of times. Approach 2 has often been taken by US authorities, who have waited for people like alleged spam kingpin Oleg Nikolaenko to visit Las Vegas, where he was arrested (and now sits in a Milwaukee jail cell); in other cases, countries like Germany have arrested wanted hackers as they transit through the country's airports.

But Georgia doesn't really want one particular guy. Clearly convinced that the country is a target of a broad and organized state attack, Georgia appears to be hoping that a little public "name and shame"—complete with pics, for maximum non-deniability—will prove more productive. Google did the same thing when it revealed details about a sophisticated China-centered hack on its own facilities. The goal isn't necessarily to get the host country to ease up on the hacks—though it may have some temporary effect—but to raise public awareness so that other forces like Congress or NATO will themselves put more pressure on some country you can hardly hope to stop alone.

Attribution. When we first covered this story, our own Dan Goodin noted the clear problem with reporting on such events: knowing if they even happened, and if so, who was really behind them. "Attribution—that is, the task of determining what group or country is behind a physical or network attack—has long been a complicated and imprecise undertaking," he wrote. "That makes it hard for disinterested third parties to state with certainty who is behind an attack and easy for the accused party or country to provide facts that seem to rebut the claims."

In all such cases, especially those in which sensitive episodes are talked about publicly, care has to be taken before putting too much credence in the tale. We have no reason to believe that Georgia is wrong in its analysis, but it pays to be aware of the ways that publicizing alleged attacks can be used for domestic political ends or to influence external geopolitical actors. Even if both motives are absent, some information might simply be incorrect or misinterpreted. In the murky world of international hacks, even attempts at transparency can be difficult.

What makes this situation even more interesting is that, in this case, the malware was already vetted by the security company ESET, which earlier this year issued a brief report (PDF) subtitled, "Is someone trying to spy on Georgians?" The company verified many of the technical details about how the malware worked, but its own interpretation of the malware (which apparently predated the Georgians' screenshots of the hacker, etc.) was quite different from Georgia's own:

The level of sophistication for this threat is low. We think that if this operation was sponsored by a state, it would be more professional and stealthy. The most likely hypothesis is that Win32/Georbot was created by a group of cyber criminals trying to find sensitive information in order to sell it to other organizations.

Georgia, however, insists that the virus does live up to state-sponsored status. "The virus we have detected is very sophisticated and requires professional treatment," wrote Irakli Gvenetadze, Chairman of Georgia's Data Exchange Agency in the country's Ministry of Justice, when the Georgian hack report was released.

So easy. The entire complicated story also raises one truly basic question: if a skilled hacker like the person behind the Georgia attacks can himself be so easily viewed with his own webcam... what hope do the rest of us have?